Secure Firefox with NoScript
Posted by Adam Pash at 9:00 AM on December 27, 2007
Firefox only (Windows/Mac/Linux): Firefox extension NoScript prevents unauthorized web sites from running JavaScript, Java, Flash, or other plug-ins to keep your browsing sessions safe. The main purpose of NoScript is to protect you from browser or web vulnerabilities along the lines of this Gmail exploit by blocking untrusted scripts from executing in your browser. Granted, it may seem like a bit of a pain to enable all your trusted sites (though NoScript makes it simple to add sites to your whitelist in two clicks), but in the end an extension like NoScript turns Firefox into a very safe little browser. NoScript is free and works wherever Firefox does.

Comments
xeen
Posted 2:27 PM 26/12/07
These two articles by Wladimir Palant make a great reading about the security of Adblock and the NoScript extension:
[adblockplus.org]
and
[adblockplus.org]
To cut a long story short: Guess a site that's in the user's whitelist, find an XSS vulnerability there and NoScript is of no help.
It still helps against those not knowing about NoScript or being too lazy to work around it.
It's most useful when your whitelist is empty, although deactivating JS would yield the same.
Greetings
xeen
jalopwill
Posted 2:19 PM 26/12/07
First step after installing this great extension is to prevent the redirect to their site after every update (can happen a lot) as it gets quite annoying.
1. Enter about:config into the address bar.
2. Find noscript.firstRunRedirection and double click to change to false.
3. Be happy not being redirected to their site after every update.
SmallBusinessMarketing
Posted 5:07 AM 27/12/07
Thanks for the tip. I'll read up on it.
shane_mckinley
Posted 7:00 AM 27/12/07
Also check out the IDS for Firefox; Firekeeper:
[firekeeper.mozdev.org]
wot4n
Posted 2:42 AM 27/12/07
@xeen:
To cut a long story short: Mr. Palant ignores NoScript's anti-XSS filters, which make his (and your) arguments completely void. Just read the latest comment to the second article you posted: most web application security experts do use and recommend NoScript against XSS, to protect the integrity of the websites you trust and whitelisted.
NoScript's anti-XSS filters are actually the only effective client-side protection available against Cross Site Scripting and Cross Site Request Forgery, the vulnerabilities behind the Gmail exploit we are discussing here.
If you need "a great reading about the security of the NoScript extension", look at this short post about XSS worms and Flash exploits, happily defeated by NoScript.
Greetings
wot4n
amirman
Posted 12:39 AM 27/12/07
this extension, though slightly invasive, is essential for me. i never worry about spyware and have never had to thanks to this baby.
Covarrubias
Posted 11:06 PM 26/12/07
It's an extension that gives me little confidence because you can avoid it easily, and if you don't trust me go to this site (not dangerous of course) that disables this extension automatically, including itself in the whitelist without your approval.
[www.darkreloaded.com]
nothappy
Posted 5:39 PM 26/12/07
Thank you very much for shutting down my ability to use my computer in the middle of my work day. I have currently lost access to email accounts and I need to get this horrible product off of my computer as quickly as possible.
It really seemed like something I needed given the amount of internet research that I conduct for my job and I am disappointed that there is no warning about the MASSIVE disruption to my computer use that has followed the installation of this program.
Thank you for truly messing up my day.
HeartBurnKid
Posted 9:31 AM 27/12/07
@wot4n: Except that he specifically mentions, and torpedoes, the anti-XSS protections in the second link that xeen provided.
Don't get me wrong, Firefox with NoScript is probably more secure than Firefox without NoScript. But it's not the be-all, end-all of security. There is no system that is totally bulletproof, and only a fool would act otherwise.
inajeep
Posted 11:21 AM 27/12/07
I've been running this extension on all my instances of Firefox at work and home for over a year now. I'm used to visiting a new site and selectively choosing which script to run. If you are constantly going to new sites, it's a must-have, although annoying if you don't realize why some things aren't working or don't look right on a web site/page.
wot4n
Posted 1:36 AM 28/12/07
@HeartBurnKid:
Yes, the article mentions and "torpedoes" the anti-XSS protections, but as you can easily understand by reading the comments (especially the last), it misses the target because it's just ignorant about the way NoScript works (injection checks also across whitelisted sites) and maliciously tries to take advantage of the only known instance when they could have failed (and they didn't, because of another NoScript protection facet RSnake had configured, i.e. Flash blocking, which is now on by default). Anyway, the "hole" he talks about was already fixed 3 hours after the attack on RSnake, and nothing similar has been found so far notwithstanding the "Hacking NoScript" contest running on the famous RSnake's sla.ckers.org board since then.
I agree with you, no software is bullet proof and NoScript is not an exception, but Firefox with NoScript is many times safer than any other web browser around.
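The disagreement above turns on the difference between an origin-only whitelist decision and a request-level injection check. The following is an added illustration, not NoScript's code and not posted by any commenter: a simplified model in which the host names, the `SUSPICIOUS` pattern and the function names are all assumptions.

```javascript
// Simplified model, constructed for illustration; not NoScript's implementation.
const WHITELIST = new Set(["mail.example.com"]); // hypothetical trusted host

// Origin-only decision: any script in a page from a whitelisted host may run,
// no matter how that script ended up in the page.
function scriptsAllowed(pageUrl) {
  return WHITELIST.has(new URL(pageUrl).hostname);
}

// Assumed heuristics for markup or script smuggled into a parameter value.
const SUSPICIOUS = /<\s*\/?\s*[a-z!]|javascript\s*:|\bon\w+\s*=/i;

// Request-level check: inspect requests that arrive at a whitelisted host from
// a different site and neutralise parameter values that look like injection.
function filterRequest(sourceUrl, targetUrl) {
  const target = new URL(targetUrl);
  const crossSite = !sourceUrl || new URL(sourceUrl).hostname !== target.hostname;
  if (!crossSite || !WHITELIST.has(target.hostname)) {
    return { url: target.href, sanitized: false };
  }
  let sanitized = false;
  for (const [key, value] of [...target.searchParams]) {
    if (SUSPICIOUS.test(value)) {
      target.searchParams.set(key, value.replace(/[<>"'`()=:]/g, " "));
      sanitized = true;
    }
  }
  return { url: target.href, sanitized };
}

// Constructed sample requests (harmless probe string).
const probe = encodeURIComponent("<script>alert(1)</script>");
const injected = `https://mail.example.com/search?q=${probe}`;
const benign = "https://mail.example.com/search?q=invoice";

function demo() {
  return {
    originCheckAlone: scriptsAllowed(injected),
    crossSiteInjected: filterRequest("https://forum.example.net/t/1", injected),
    crossSiteBenign: filterRequest("https://forum.example.net/t/1", benign),
    sameSite: filterRequest("https://mail.example.com/inbox", injected),
  };
}

console.log(demo());
```

In this model the origin check alone permits the injected page, the cross-site filter rewrites the suspicious parameter before the trusted site sees it, and a same-site request is never inspected.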
jluce50
Posted 10:03 AM 28/12/07
The deal-breaker for me is that it renders keyword bookmarks that use javascript completely unusable if the site you're on isn't in the whitelist. For example, the GmailThis bookmarklet I learned about on LH ([lifehacker.com]). Anyone know a way around this other than temporarily adding the site you're on to the whitelist every time you use GmailThis?
grimdeath18
Posted 10:25 PM 31/12/07
Been using it for quite some time now. Very useful.